Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-19 are pending in this office action. 

Priority
No foreign priority is claimed.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/16/2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3-4, 10, 13-14, 16-19 are rejected under 35 U.S.C. 102(a)(1), 102(a)(2) as being anticipated by Krebs (US 2019/0052675 A1).
For claim 1, Krebs teaches a computer-implemented method for software intrusion detection, comprising: generating a honeypot patch for a computing system associated with a software vulnerability in a software installed on the computing system, wherein the software comprises at least one of an application and an operating system (para 0012-0013, 0020, 0033 - intrusion/vulnerability detection in an application and in operating system environment, wherein a honeypot environment instance is generated/installed);  
wherein the honeypot patch is configured to convert the computing system associated with the software vulnerability into a honeypot system configured to detect attempts to exploit the software vulnerability of the software (para 0033-0034 - honeypot generated at the application endpoint replacing or converting the attacked/vulnerable application instance into honeypot for further detection and mitigation of exploits), and in response, generate a security event associated with the software vulnerability (para 0020, 0022, 0029, 0034, 0037-0041 - events in terms of various actions such as disconnection events in response to attack detection); and 
modifying the software installed on the computing system using the generated honeypot patch (para 0027, 0033-0034, 0049, 0051 - replacement or modification of data in the application leads to modification of the software).

For claim 3, Krebs teaches wherein modifying the software installed on the computing system using the generated honeypot patch further comprises: generating a live patch based on the generated honeypot patch, wherein the live patch is configured to modify code of the software being executed without restarting the software (para 0027, 0029, 0032-0034, 0051, 0072-0073 - services or applications are updated/replaced with regards to code and configurations i.e. patched in, to maintain continuity via dynamic generation).

For claim 4, Krebs teaches wherein the honeypot patch comprises computer-executable instructions configured to detect the attempt to exploit the software vulnerability of the software using a conditional test for verifying security capability to be inserted into the original source code of the software (para 0027, 0033-0034, 0049-0051 - replacement of data/code in the application leads to modification of the software such that application code is replaced with capability to detect and mitigate attacks via test of conditions, wherein the honeypot is configured to detect and mitigate vulnerability and wherein the honeypot code with such capabilities is inserted in the software application environment).

For claim 10, Krebs teaches wherein the honeypot system configured to detect attempts to exploit the software vulnerability of the software is further configured to report the exploit attempts to a system administrator via a notification (para 0025, 0055 - alerts and warnings are reported to the administrator).

For claim 13, Krebs teaches wherein the honeypot system is further configured to, in response to detecting attempts to exploit the software vulnerability of the software, live migrate processes associated with the detected attack to an isolated system or a virtual machine (para 0033-0034, 0041, 0043 - migrate processes/application into a virtual machine infrastructure in isolation upon vulnerability detection).

For claim 14, Krebs teaches the method of claim 13, wherein current or future connections from an attacking address are routed to the isolated system or the virtual machine where the processes were migrated (para 0006, 0050, 0064-0065, 0069 - application access from the attacking applications are directed/redirected to new (replaced) system such as honeypot).

For claim 16, Krebs teaches wherein the honeypot system is further configured to, in response to detecting attempts to exploit the software vulnerability of the software, block at least a portion of network traffic from an original network address associated with the detected attack (para 0021, 0050, 0056 - block and/or redirect network traffic associated with attack).

For claim 17, Krebs teaches wherein the honeypot system is further configured to, in response to detecting attempts to exploit the software vulnerability of the software, fake to the attacker that the detected attack was successful (para 0020, 033, 0051, 0067 - attacker fed with realistic data as faking of successful attack).

For claim 18, Krebs teaches a system for software intrusion detection, comprising: a hardware processor configured to: 
generate a honeypot patch for a computing system associated with a software vulnerability in a software installed on the computing system, wherein the software comprises at least one of an application and an operating system (para 0004, 0012-0014, 0020, 0033 - intrusion/vulnerability detection in an application and in operating system environment, wherein a honeypot environment instance is generated/installed),
wherein the honeypot patch is configured to convert the computing system associated with the software vulnerability into a honeypot system configured to detect attempts to exploit the software vulnerability of the software (para 0033-0034 - honeypot generated at the application endpoint replacing or converting the attacked/vulnerable application instance into honeypot for further detection and mitigation of exploits),
and in response, generate a security event associated with the software vulnerability (para 0020, 0022, 0029, 0034, 0037-0041 - events in terms of various actions such as disconnection events in response to attack detection); and 
modify the software installed on the computing system using the generated honeypot patch (para 0027, 0033-0034, 0049, 0051 - replacement or modification of data in the application leads to modification of the software).

For claim 19, Krebs teaches a non-transitory computer readable medium comprising computer executable instructions for software intrusion detection, including instructions for: generating a honeypot patch for a computing system associated with a software vulnerability in a software installed on the computing system, wherein the software comprises at least one of an application and an operating system (para 0012-0014, 0020, 0033 - intrusion/vulnerability detection in an application and in operating system environment, wherein a honeypot environment instance is generated/installed);
wherein the honeypot patch is configured to convert the computing system associated with the software vulnerability into a honeypot system configured to detect attempts to exploit the software vulnerability of the software (para 0033-0034 - honeypot generated at the application endpoint replacing or converting the attacked/vulnerable application instance into honeypot for further detection and mitigation of exploits), and in response, generate a security event associated with the software vulnerability (para 0020, 0022, 0029, 0034, 0037-0041 - events in terms of various actions such as disconnection events in response to attack detection); and 
modifying the software installed on the computing system using the generated honeypot patch (para 0027, 0033-0034, 0049, 0051 - replacement or modification of data in the application leads to modification of the software).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 5-7, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Krebs (US 2019/0052675 A1), in view of Sidiroglou et al. (US 2008/0141374 A1, Sidiroglou hereinafter).
For claim 2, Krebs teaches wherein modifying the software installed on the computing system using the generated honeypot patch further comprises: modifying original source code of the software using the honeypot patch (para 0027, 0033-0034, 0049, 0051 - replacement of data/code in the application leads to modification of the software such that application code is replaced). Although it would be obvious and is also well-known that code replacement requires software instance restart or recycle in order to affect the code execution, Krebs does not appear to explicitly disclose, however Sidiroglou teaches restarting execution of the software using an executable created by re-compiling the modified source code (Abstract; para 0021, 0037, 0050, 0053 - code transformation associated with the honeypot and compilation, and application restart). Based on Krebs in view of Sidiroglou, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Sidiroglou in the system of Krebs, in order to incorporate a well-known honeypot mechanism in an IDS and to incorporate code/environment transformation with regards to attacks, thereby making the IDS more dynamically adaptive and effectively versatile in order to not only be more effective in the intrusion detection process of an application, but also to robustly secure the application data via application control.

For claim 5, Krebs does not appear to explicitly teach, however Sidiroglou teaches wherein the honeypot patch comprises computer-executable instructions configured to detect the attempt to exploit the software vulnerability of the software using a conditional test for whether the attempt is to cause a buffer overflow (para 0043, 0049, 0051-0052 - detect or catch an attempted buffer overflow condition via honeypot). Based on Krebs in view of Sidiroglou, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Sidiroglou in the system of Krebs, in order to address a commonly known vulnerability situation involving buffer overflow to exploit and attack the system, thereby making the system proactively more secure against such widely used attack strategies.

For claim 6, Krebs does not appear to explicitly teach, however Sidiroglou teaches wherein the software vulnerability comprises a memory use after free vulnerability (para 0051-0054 - segmentation fault owing to memory indicates improperly allocated or not allocated (free) memory being used). Based on Krebs in view of Sidiroglou, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Sidiroglou in the system of Krebs, in order to address a commonly known vulnerability situation involving memory violations or illegal memory usage to exploit and attack the system, thereby making the system proactively more secure against such widely used attack strategies.

For claim 7, Krebs in view of Sidiroglou teaches the claimed subject matter as discussed above. Krebs further teaches the method of claim 6, wherein the honeypot patch comprises computer-executable instructions configured to detect the attempt to exploit the software vulnerability of the software by: marking a data structure with a predetermined placeholder value; and verifying that the data structure does not contain the predetermined placeholder value (para 0052, 0056, 0060 - stored or predefined value in form of ruleset, for which anomaly triggered by attack vectors based on rule set that is anomalous or not being present in the predefined memory).

For claim 11, Krebs teaches wherein the honeypot system is further configured to, in response to detecting attempts to exploit the software vulnerability of the software, block intruder processes (para 0022 - system disconnect with regards to attacking processes, i.e. blocking the connection).
Krebs does not appear to explicitly teach, however Sidiroglou teaches kill and block intruder processes (para 0054-0056 - process kill and other means of transaction control associated with the process with regards to associated memory).
Based on Krebs in view of Sidiroglou, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Sidiroglou in the system of Krebs, in order to address a commonly known vulnerability situation and mitigation with respect to exploits and attacks in the system, thereby making the system proactively more secure against such widely used attack strategies.


Claims 8-9, 12, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Krebs (US 2019/0052675 A1), in view of Swartz et al. (US 2007/0180509 A1, Swartz hereinafter).
For claim 8, Krebs does not appear to explicitly teach, however Swartz teaches wherein the software vulnerability comprises a race condition (para 0749 - vulnerability includes race condition vulnerabilities and hardening the system against that). Based on Krebs in view of Swartz, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Swartz in the system of Krebs, in order to address many of the commonly occurring vulnerability situations such as race condition vulnerabilities, thereby making the system proactively more secure against such attack strategies.

For claim 9, Krebs in view of Swartz teaches the claimed subject matter as discussed above. Krebs does not appear to explicitly teach, however Swartz further teaches the method of claim 8, wherein the honeypot patch comprises computer-executable instructions configured to detect the attempt to exploit the software vulnerability of the software using a set of conditional tests leading up to the race and software state manipulation (para 0485, 0505, 0748-0750 - conditionally restoring of state to a stored initialed state implies state manipulation occurs due to attack, and vulnerability includes race condition vulnerabilities and hardening the system against that).

For claim 12, Krebs does not appear to explicitly teach, however Swartz teaches wherein the honeypot system is further configured to, in response to detecting attempts to exploit the software vulnerability of the software, save a state of processes running on the honeypot system for further analysis (para 0408, 0419, 0485 - states are stored for further analysis and reversal to previous state). Based on Krebs in view of Swartz, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Swartz in the system of Krebs, in order to manage system states to effectively address vulnerability solutions, thereby making the system proactively more secure against such attack strategies.

For claim 15, Krebs does not appear to explicitly teach, however Swartz teaches wherein the honeypot system is further configured to, in response to detecting attempts to exploit the software vulnerability of the software, block a login of a user associated with the detected attack (para 0775-0777 - user access/login is controlled in users associated with attack). Based on Krebs in view of Swartz, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Swartz in the system of Krebs, in order to manage user authentications and user access, thereby making the system proactively more secure against unauthorized user access.

    
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433